Target IP: 10.10.90.9
Challenge Description:
Performing a port scan shows there are two TCP ports open on the target machine, as shown above.
Doing an aggressive port scan against the two TCP ports returns the result above. The HTTP application on port 80 seems to be running WordPress 5.6 according to the scan.
┌──(kali㉿kali)-[~/Desktop/Lab-Resource/Revisit/DifferentCTF]
└─$ sudo nmap -sV -A 10.10.90.9 -p 21,80 --script=vuln
Starting Nmap 7.94 ( https://nmap.org ) at 2023-10-17 11:26 EDT
Nmap scan report for 10.10.90.9
Host is up (0.024s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=10.10.90.9
| Found the following possible CSRF vulnerabilities:
|
| Path: http://10.10.90.9:80/
| Form id:
|_ Form action: http://adana.thm/
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-wordpress-users:
| Username found: hakanbey01
|_Search stopped at ID #25. Increase the upper limit if necessary with 'http-wordpress-users.limit'
| http-enum:
| /wp-login.php: Possible admin folder
| /phpmyadmin/: phpMyAdmin
| /readme.html: Wordpress version: 2
| /: WordPress version: 5.6
| /wp-includes/images/rss.png: Wordpress version 2.2 found.
| /wp-includes/js/jquery/suggest.js: Wordpress version 2.5 found.
| /wp-includes/images/blank.gif: Wordpress version 2.6 found.
| /wp-includes/js/comment-reply.js: Wordpress version 2.7 found.
| /wp-login.php: Wordpress login page.
| /wp-admin/upgrade.php: Wordpress login page.
|_ /readme.html: Interesting, a readme.
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (95%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Adtran 424RG FTTH gateway (93%), Linux 2.6.32 (93%), Linux 2.6.39 - 3.2 (93%), Linux 3.1 - 3.2 (93%), Linux 3.2 - 4.9 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Unix
Testing for vulnerabilities with the Nmap vuln scripts returns the interesting result above. The hostname seems to be adana.thm, and there is a WordPress user called hakanbey01. I inserted 10.10.90.9 adana.thm into my /etc/hosts file. Time to enumerate further.
Port 80: HTTP
Browsing to the web application on port 80 displays the WordPress webpage above. This page contains the username hakanbey01, which I already found during reconnaissance. I did not find anything important when I checked the source code of the application.
Doing a basic directory search against the target machine returns the interesting result above. I find the directory /announcements/ interesting.
Browsing to /announcements/ directory returns the webpage above. This page contains two files: austrailian-bulldog-ant.jpg and wordlist.txt. The second file contains a bunch of passwords. Maybe I can use this password file against the WordPress application for valid credentials? Or does the image contain hidden data?
Using stegcracker and the password file, I extracted the data hidden inside the austrailian-bulldog-ant.jpg image into a file named austrailian-bulldog-ant.jpg.out.
The content of the hidden file is shown above. It is encoded in base64. Using the command base64 -d, I decoded it and obtained the plaintext above. Could this plaintext be FTP credentials? I know FTP is open on the target machine.
Port 21: FTP
Using the credentials hakanftp:123adanacrack, I managed to successfully gain entry to the FTP application on the target machine. I know wp-config.php contains credentials. Maybe this contains the credentials of the WordPress application?
Using the command mget wp-config.php from the FTP session, I downloaded a copy of wp-config.php to my machine. The content of this file is shown above. It contains the credentials phpmyadmin:12345 for phpMyAdmin.
I browsed to http://www.adana.thm/phpmyadmin and logged in with the credentials phpmyadmin:12345. Now I have access to this web application. I notice there are two interesting databases: phpmyadmin and phpmyadmin1, as shown above. Both databases seem to contain a wp_users table.
In the image above, I now have the password hash of the user hakanbey01. However, I am unable to crack this password hash.
I created a text file called test.txt with the content hello. Then using another FTP session, I tried uploading the file and it worked. I can successfully upload items to the target machine. But when I try to access the file by http://adana.thm/wp-content/test.txt or http://adana.thm/test.txt, it does not work even though the remote directory is /.
I enumerated further. The wp_options table contains the interesting entry highlighted above. Is this a subdomain? I added this in my /etc/hosts file. Maybe I can access my test.txt file at http://subdomain.adana.thm/test.txt?
And bingo! I had to change the permission of the file to 777 to access it. Now I can access the test file at http://subdomain.adana.thm/test.txt. Time to upload a reverse shell.
I made a copy of the PHP Pentest Monkey reverse shell script with the name shell.php. Then using the FTP application on the target machine, I uploaded this reverse shell. I also changed the permission of the file to 777, so it is executable.
I started a listener on my machine at port 8444. Then I browsed to http://subdomain.adana.thm/shell.php and got a hit! Now I have a foothold on the target machine with the session as www-data, as shown above.
There is one user called hakanbey, but I am unable to browse to this user's home directory. SSH is not open on the target machine either, so I cannot bruteforce their password that way. However, the task mentions sucrack, which is a password bruteforcing tool. Maybe I can transfer it to the target machine and run it against this user? I transferred sucrack and the original wordlist.txt to the target machine and executed it. But I had no luck.
However, I noticed all the passwords I obtained previously started with 123adana. I created the Hashcat rule ^a^n^a^d^a^3^2^1 that adds 123adana at the beginning of each password. The password file I used is the wordlist.txt from the hidden directory. The new passwords are stored in a file called newwordlist.txt as shown above.
I transferred newwordlist.txt to the target machine. Using sucrack, I managed to bruteforce the password 123adanasubaru of the user hakanbey as shown above.
And using the new password, I managed to successfully switch to this new user hakanbey as shown above. I have successfully elevated my privileges horizontally from www-data to hakanbey.
Running find / -perm -u=s -type f 2>/dev/null shows an unusual entry called /usr/bin/binary as shown above.
I transferred the binary to my machine. Running strings on it shows the interesting strings above. There is some sort of hint and an image. Maybe ltrace will help?
I ran ltrace on the binary and obtained the crucial information above. It looks like the application expects the input string to be warzoneinadana.
After inputting the required string, another hint is provided as shown in the image above. An image from the home directory of the root user is copied to /home/hakanbey/Desktop as shown above. The hint Hexeditor 00000020 with Cyberchef is interesting.
Browsing to /home/hakanbey/Desktop proves this true. The image has been successfully copied. I transferred this image to my machine.
Using hexeditor, I looked at the content of 00000020 and obtained FE E9 9D 3D 79 18 5F FC 82 6D DF 1C 69 AC C2 75 as shown above.
After some manual tries, converting these bytes from hex to base85 gave me the plaintext root:Go0odJo0BbBro0o. This looks like the credentials of the root user.
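As an added example (not part of the original writeup), the decoding step above reproduced in Python: take the 16 bytes at offset 0x20 and encode them with the Adobe/ASCII85 alphabet, which is what base64.a85encode implements and what the writeup's CyberChef recipe must have used, since it is the only Base85 alphabet that turns these bytes into readable text. The surrounding image bytes are constructed filler; only the 16 bytes at 0x20 come from the page.

```python
import base64
from typing import Dict

# Constructed sample: 32 bytes of filler standing in for the image header,
# then the 16 bytes the writeup read at offset 0x20 (hexeditor 00000020),
# then trailing filler. Only the 16 middle bytes come from the page.
HINT_OFFSET = 0x20
HINT_LENGTH = 16
SAMPLE_IMAGE = (
    bytes.fromhex("FFD8FFE000104A464946") + b"\x00" * 22   # 32 bytes of stand-in header
    + bytes.fromhex("FEE99D3D79185FFC826DDF1C69ACC275")     # bytes shown at 00000020
    + b"\x00" * 16                                           # trailing filler
)

def extract_hint_bytes(data: bytes, offset: int = HINT_OFFSET, length: int = HINT_LENGTH) -> bytes:
    """Return `length` bytes starting at `offset`, the same view a hex editor gives at 00000020."""
    if len(data) < offset + length:
        raise ValueError(f"input is {len(data)} bytes, need at least {offset + length}")
    return data[offset:offset + length]

def base85_variants(raw: bytes) -> Dict[str, str]:
    """Encode the same bytes with both Base85 alphabets Python ships.

    a85encode uses the Adobe/ASCII85 alphabet ('!'..'u'); b85encode uses the
    RFC 1924 / Git alphabet. Only the ASCII85 variant yields readable text for
    the bytes from the writeup, which is why the variant choice matters.
    """
    return {
        "ascii85": base64.a85encode(raw).decode("ascii"),
        "rfc1924": base64.b85encode(raw).decode("ascii"),
    }

def recover_credential(data: bytes) -> str:
    """Apply the writeup's recipe: raw bytes at 0x20 -> ASCII85 text."""
    return base85_variants(extract_hint_bytes(data))["ascii85"]

if __name__ == "__main__":
    hint = extract_hint_bytes(SAMPLE_IMAGE)
    print("bytes at 0x20:", hint.hex(" ").upper())
    for name, text in base85_variants(hint).items():
        print(f"{name}: {text}")
```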
And bingo! Now I have root access on the target machine. GG.
The web.txt flag is shown above after gaining a foothold on the target machine with the session as www-data.
The user.txt flag is shown above after elevating privileges to hakanbey user.
The root.txt flag is shown above.